(End)User level access to objects in S3

Question

We are facing a use case where we need to store confidential images of the user on S3. Now as S3 is accessible over HTTP and if we give a read access to the objects they will be available to the world via web. We need to restrict the images/files only to that user. So the possible solutions we thought are:

1. URL masking in some way.(No idea exactly how)
   
2. storing the files/images by creating unique encrypted s3 keys
   eg: http://bucket.s3.amazon.com/clients/img/j84jaljvkeh774d/myimage.jpg

In the first one we may not get the cloudfront or cdn benefits as it might involve a independent proxy server.

The second one,is in a way secure as it would be difficult to predict the keyname,if its unique to a user.

Using ACl and bucket policies won't completely solve the problem. Also,if we write a policy which restricts IP addresses, the mobile app which uses the same API backend would end up not working as those would have requests originating from different IP's.

We know we cannot completely secure them,but do we have an approach to deal with such a scenario?Please share your inputs.

Answer 1

You want to use presigned URLs for this. You generate those for a fixed (short) period of time, for a specific user. If this URL gets leaked, it doesn't matter – because they expire.

If you do that, everything in your bucket can remain private.

If you're using Ruby, here's a glimpse how you'd do this: https://github.com/aws/aws-sdk-core-ruby/commit/f946c113ff24d97673d8ffd43cb4012c8e211992

Answer 2

This could be achieved by option one.

1. Disable the public access of files from S3 management console on AWS.
2. You only need to build expiring urls if you want to restrict access.
3. I suppose there must be a unique key available for each user. You can generate signed URLs using that key. for each object programmatically. Here is one example available for reference.